Author: jra Date: 2007-07-17 23:01:02 +0000 (Tue, 17 Jul 2007) New Revision: 23939
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23939 Log: Fixes for notify returns. Returned param value must fix inside max_param or return NT_STATUS_OK. Jeremy. Modified: branches/SAMBA_3_0_25/source/smbd/notify.c branches/SAMBA_3_0_25/source/smbd/nttrans.c branches/SAMBA_3_2/source/smbd/notify.c branches/SAMBA_3_2/source/smbd/nttrans.c branches/SAMBA_3_2_0/source/smbd/notify.c branches/SAMBA_3_2_0/source/smbd/nttrans.c Changeset: Modified: branches/SAMBA_3_0_25/source/smbd/notify.c =================================================================== --- branches/SAMBA_3_0_25/source/smbd/notify.c 2007-07-17 21:55:31 UTC (rev 23938) +++ branches/SAMBA_3_0_25/source/smbd/notify.c 2007-07-17 23:01:02 UTC (rev 23939) @@ -22,15 +22,12 @@ #include "includes.h" -/* Max size we can send to client in a notify response. */ -extern int max_send; - struct notify_change_request { struct notify_change_request *prev, *next; struct files_struct *fsp; /* backpointer for cancel by mid */ char request_buf[smb_size]; uint32 filter; - uint32 current_bufsize; + uint32 max_param; struct notify_mid_map *mid_map; void *backend_data; }; @@ -62,8 +59,9 @@ } static BOOL notify_marshall_changes(int num_changes, - struct notify_change *changes, - prs_struct *ps) + uint32 max_offset, + struct notify_change *changes, + prs_struct *ps) { int i; UNISTR uni_name; @@ -113,6 +111,11 @@ prs_set_offset(ps, prs_offset(ps)-2); SAFE_FREE(uni_name.buffer); + + if (prs_offset(ps) > max_offset) { + /* Too much data for client. */ + return False; + } } return True; @@ -148,7 +151,7 @@ "failed."); } -void change_notify_reply(const char *request_buf, +void change_notify_reply(const char *request_buf, uint32 max_param, struct notify_change_buf *notify_buf) { char *outbuf = NULL; 
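Review bot: The added `prs_offset(ps) > max_offset` test in `notify_marshall_changes` gives `False` two meanings, "reply is larger than the client asked for" and whatever marshalling failure the function could already report; its earlier return paths lie outside this hunk, so that second case is inferred. The caller in `change_notify_reply` handles every `False` under the comment "We exceed what the client is willing to accept", so a real marshalling error would be treated as a size overflow. I would either state the contract above the function, e.g. `/* Returns False on marshalling failure or when the data exceeds max_offset. */`, or report the two outcomes separately. `max_offset` is fed from `max_param_count` at the nttrans.c call sites, so the limit is chosen by the peer and deserves a note saying so. The same hunk is repeated in the SAMBA_3_2 and SAMBA_3_2_0 copies of notify.c.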
@@ -160,16 +163,10 @@ return; } - if (!prs_init(&ps, 0, NULL, False) - || !notify_marshall_changes(notify_buf->num_changes, - notify_buf->changes, &ps)) { - change_notify_reply_packet(request_buf, NT_STATUS_NO_MEMORY); - goto done; - } + prs_init(&ps, 0, NULL, False); - buflen = smb_size+38+prs_offset(&ps) + 4 /* padding */; - - if (buflen > max_send) { + if (!notify_marshall_changes(notify_buf->num_changes, max_param, + notify_buf->changes, &ps)) { /* * We exceed what the client is willing to accept. Send * nothing. @@ -238,7 +235,7 @@ return status; } -NTSTATUS change_notify_add_request(const char *inbuf, +NTSTATUS change_notify_add_request(const char *inbuf, uint32 max_param, uint32 filter, BOOL recursive, struct files_struct *fsp) { @@ -255,11 +252,11 @@ map->req = request; memcpy(request->request_buf, inbuf, sizeof(request->request_buf)); - request->current_bufsize = 0; + request->max_param = max_param; request->filter = filter; request->fsp = fsp; request->backend_data = NULL; - + DLIST_ADD_END(fsp->notify->requests, request, struct notify_change_request *); @@ -431,6 +428,7 @@ */ change_notify_reply(fsp->notify->requests->request_buf, + fsp->notify->requests->max_param, fsp->notify); change_notify_remove_request(fsp->notify->requests); Modified: branches/SAMBA_3_0_25/source/smbd/nttrans.c =================================================================== --- branches/SAMBA_3_0_25/source/smbd/nttrans.c 2007-07-17 21:55:31 UTC (rev 23938) +++ branches/SAMBA_3_0_25/source/smbd/nttrans.c 2007-07-17 23:01:02 UTC (rev 23939) @@ -1979,7 +1979,7 @@ * here. */ - change_notify_reply(inbuf, fsp->notify); + change_notify_reply(inbuf, max_param_count, fsp->notify); /* * change_notify_reply() above has independently sent its 
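Review bot: `prs_init(&ps, 0, NULL, False);` in `change_notify_reply` now discards the return value that the removed code checked, and the `NT_STATUS_NO_MEMORY` reply is gone with it. If the call can fail, `ps` is then marshalled into without a valid state; keeping the guard costs little: `if (!prs_init(&ps, 0, NULL, False)) { change_notify_reply_packet(request_buf, NT_STATUS_NO_MEMORY); goto done; }`. The removed `buflen > max_send` comparison was also the only server-side cap visible in this hunk, so the reply size is now bounded solely by `max_param`, which comes from the client's request. Unless the send path further down the function (outside this hunk) already limits or splits the reply to the negotiated size, I would keep a check against `max_send` alongside the new one. The same hunk appears in the SAMBA_3_2 and SAMBA_3_2_0 copies of notify.c.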
@@ -1992,7 +1992,8 @@ * No changes pending, queue the request */ - status = change_notify_add_request(inbuf, filter, recursive, fsp); + status = change_notify_add_request(inbuf, max_param_count, filter, + recursive, fsp); if (!NT_STATUS_IS_OK(status)) { return ERROR_NT(status); } Modified: branches/SAMBA_3_2/source/smbd/notify.c =================================================================== --- branches/SAMBA_3_2/source/smbd/notify.c 2007-07-17 21:55:31 UTC (rev 23938) +++ branches/SAMBA_3_2/source/smbd/notify.c 2007-07-17 23:01:02 UTC (rev 23939) @@ -21,15 +21,12 @@ #include "includes.h" -/* Max size we can send to client in a notify response. */ -extern int max_send; - struct notify_change_request { struct notify_change_request *prev, *next; struct files_struct *fsp; /* backpointer for cancel by mid */ char request_buf[smb_size]; uint32 filter; - uint32 current_bufsize; + uint32 max_param; struct notify_mid_map *mid_map; void *backend_data; }; @@ -61,8 +58,9 @@ } static BOOL notify_marshall_changes(int num_changes, - struct notify_change *changes, - prs_struct *ps) + uint32 max_offset, + struct notify_change *changes, + prs_struct *ps) { int i; UNISTR uni_name; @@ -112,6 +110,11 @@ prs_set_offset(ps, prs_offset(ps)-2); SAFE_FREE(uni_name.buffer); + + if (prs_offset(ps) > max_offset) { + /* Too much data for client. */ + return False; + } } return True; @@ -148,7 +151,7 @@ "failed."); } -void change_notify_reply(const char *request_buf, +void change_notify_reply(const char *request_buf, uint32 max_param, struct notify_change_buf *notify_buf) { char *outbuf = NULL; 
@@ -160,16 +163,10 @@ return; } - if (!prs_init(&ps, 0, NULL, False) - || !notify_marshall_changes(notify_buf->num_changes, - notify_buf->changes, &ps)) { - change_notify_reply_packet(request_buf, NT_STATUS_NO_MEMORY); - goto done; - } + prs_init(&ps, 0, NULL, False); - buflen = smb_size+38+prs_offset(&ps) + 4 /* padding */; - - if (buflen > max_send) { + if (!notify_marshall_changes(notify_buf->num_changes, max_param, + notify_buf->changes, &ps)) { /* * We exceed what the client is willing to accept. Send * nothing. @@ -238,7 +235,7 @@ return status; } -NTSTATUS change_notify_add_request(const char *inbuf, +NTSTATUS change_notify_add_request(const char *inbuf, uint32 max_param, uint32 filter, BOOL recursive, struct files_struct *fsp) { @@ -255,11 +252,11 @@ map->req = request; memcpy(request->request_buf, inbuf, sizeof(request->request_buf)); - request->current_bufsize = 0; + request->max_param = max_param; request->filter = filter; request->fsp = fsp; request->backend_data = NULL; - + DLIST_ADD_END(fsp->notify->requests, request, struct notify_change_request *); @@ -431,6 +428,7 @@ */ change_notify_reply(fsp->notify->requests->request_buf, + fsp->notify->requests->max_param, fsp->notify); change_notify_remove_request(fsp->notify->requests); Modified: branches/SAMBA_3_2/source/smbd/nttrans.c =================================================================== --- branches/SAMBA_3_2/source/smbd/nttrans.c 2007-07-17 21:55:31 UTC (rev 23938) +++ branches/SAMBA_3_2/source/smbd/nttrans.c 2007-07-17 23:01:02 UTC (rev 23939) @@ -2045,7 +2045,7 @@ * here. */ - change_notify_reply(inbuf, fsp->notify); + change_notify_reply(inbuf, max_param_count, fsp->notify); /* * change_notify_reply() above has independently sent its 
@@ -2058,7 +2058,8 @@ * No changes pending, queue the request */ - status = change_notify_add_request(inbuf, filter, recursive, fsp); + status = change_notify_add_request(inbuf, max_param_count, filter, + recursive, fsp); if (!NT_STATUS_IS_OK(status)) { return ERROR_NT(status); } Modified: branches/SAMBA_3_2_0/source/smbd/notify.c =================================================================== --- branches/SAMBA_3_2_0/source/smbd/notify.c 2007-07-17 21:55:31 UTC (rev 23938) +++ branches/SAMBA_3_2_0/source/smbd/notify.c 2007-07-17 23:01:02 UTC (rev 23939) @@ -21,15 +21,12 @@ #include "includes.h" -/* Max size we can send to client in a notify response. */ -extern int max_send; - struct notify_change_request { struct notify_change_request *prev, *next; struct files_struct *fsp; /* backpointer for cancel by mid */ char request_buf[smb_size]; uint32 filter; - uint32 current_bufsize; + uint32 max_param; struct notify_mid_map *mid_map; void *backend_data; }; @@ -61,8 +58,9 @@ } static BOOL notify_marshall_changes(int num_changes, - struct notify_change *changes, - prs_struct *ps) + uint32 max_offset, + struct notify_change *changes, + prs_struct *ps) { int i; UNISTR uni_name; @@ -112,6 +110,11 @@ prs_set_offset(ps, prs_offset(ps)-2); SAFE_FREE(uni_name.buffer); + + if (prs_offset(ps) > max_offset) { + /* Too much data for client. */ + return False; + } } return True; @@ -147,7 +150,7 @@ "failed."); } -void change_notify_reply(const char *request_buf, +void change_notify_reply(const char *request_buf, uint32 max_param, struct notify_change_buf *notify_buf) { char *outbuf = NULL; 
@@ -159,16 +162,10 @@ return; } - if (!prs_init(&ps, 0, NULL, False) - || !notify_marshall_changes(notify_buf->num_changes, - notify_buf->changes, &ps)) { - change_notify_reply_packet(request_buf, NT_STATUS_NO_MEMORY); - goto done; - } + prs_init(&ps, 0, NULL, False); - buflen = smb_size+38+prs_offset(&ps) + 4 /* padding */; - - if (buflen > max_send) { + if (!notify_marshall_changes(notify_buf->num_changes, max_param, + notify_buf->changes, &ps)) { /* * We exceed what the client is willing to accept. Send * nothing. @@ -237,7 +234,7 @@ return status; } -NTSTATUS change_notify_add_request(const char *inbuf, +NTSTATUS change_notify_add_request(const char *inbuf, uint32 max_param, uint32 filter, BOOL recursive, struct files_struct *fsp) { @@ -254,11 +251,11 @@ map->req = request; memcpy(request->request_buf, inbuf, sizeof(request->request_buf)); - request->current_bufsize = 0; + request->max_param = max_param; request->filter = filter; request->fsp = fsp; request->backend_data = NULL; - + DLIST_ADD_END(fsp->notify->requests, request, struct notify_change_request *); @@ -430,6 +427,7 @@ */ change_notify_reply(fsp->notify->requests->request_buf, + fsp->notify->requests->max_param, fsp->notify); change_notify_remove_request(fsp->notify->requests); Modified: branches/SAMBA_3_2_0/source/smbd/nttrans.c =================================================================== --- branches/SAMBA_3_2_0/source/smbd/nttrans.c 2007-07-17 21:55:31 UTC (rev 23938) +++ branches/SAMBA_3_2_0/source/smbd/nttrans.c 2007-07-17 23:01:02 UTC (rev 23939) @@ -2039,7 +2039,7 @@ * here. */ - change_notify_reply(inbuf, fsp->notify); + change_notify_reply(inbuf, max_param_count, fsp->notify); /* * change_notify_reply() above has independently sent its 
@@ -2052,7 +2052,8 @@ * No changes pending, queue the request */ - status = change_notify_add_request(inbuf, filter, recursive, fsp); + status = change_notify_add_request(inbuf, max_param_count, filter, + recursive, fsp); if (!NT_STATUS_IS_OK(status)) { return ERROR_NT(status); }
